DPO Daily

Information Services

Wilmslow, Courthill House, 60 Water Lane 12,635 followers

A daily nugget of UK GDPR or privacy info: cases, books, hints and tips for the busy DPO or IG pro (from Tim Turner).

About us

A daily nugget of UK #GDPR or #privacy info from Tim Turner (2040 Training) - interesting cases, challenging questions, plus practical hints and tips for the busy Data Protection Officer or IG professional.

Industry
Information Services
Company size
1 employee
Headquarters
Wilmslow, Courthill House, 60 Water Lane
Type
Privately Held
Specialties
UK GDPR and Data Protection

Locations

  • Primary

    Courthill House, 60 Water Lane

    2040

    Wilmslow, Courthill House, 60 Water Lane SK9 5AJ, GB

Updates

    Pragmatism isn’t popular with everyone. Simply for seeing merit in compromise and meeting decision makers halfway, some people regard me as a sociopathic corporate stooge, doing the bidding of my neo-liberal overlords. Especially when I fail someone else’s purity test, I find data protection dogma to be bewildering. After all, European DP law has always been a Frankensteinian creation, an ungainly combination of high-minded human rights and hard-edged capitalism. The 1995 DP Directive was a product of the Single Market, facilitating transfers of data across borders in return for rights. The GDPR is a similarly mixed bag: “This Regulation is intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union, to economic and social progress, to the strengthening and the convergence of the economies within the internal market, and to the well-being of natural persons.” That's a lot of different aspirations, making a rather queasy whole. In that light, I don’t claim I’m here to save the world; indeed, I don’t think data protection is intended to. Its impact is incremental and case by case, rather than being an almighty truth bomb that can transform society. That’s why I like it: you don’t have to wait for deliverance. You can do something worth doing today. If people want to campaign, or even preach, talking about how they think things should be rather than how they are, that’s up to them. For some, passion is an inherently positive characteristic and a lot of people find sermons to be emotionally satisfying. But indignation, no matter how righteous, is difficult to control and can be annoying to listen to. Moreover, if your doctrine doesn’t allow for alternative approaches, if people who don’t take the same approach as you are condemned as heretics, you're certainly not winning me as a convert any time soon. 
When trying to persuade individual organisations and people to take data protection seriously, especially on specific issues, I find pragmatism to be more effective than hectoring or emotional outbursts. I’ve never persuaded anyone to do anything on the basis of an impassioned plea about human rights, but I’ve encouraged a lot of people to do good things with subtler tools. Admittedly, my measurable success in favour of better information handling, respect for individual rights and a proper, mature assessment of risks to vulnerable people rarely if ever stretches outside one organisation at a time. My wins wouldn’t sound epic if I trumpeted any one of them. But I’m very comfortable about how many of them there are. I'm taking a week off to venerate the Elder Gods of Data Protection and seek their counsel (AKA: catch up on a backlog of work). See you next Saturday.

    A little while ago, I joined a membership organisation. As part of the sign-up, I was obliged to agree to T&Cs that included the use of personal data to make members aware of membership benefits (probably marketing according to ICO enforcement on Amex and Unite) and to send offers from their partners (definitely marketing). Recently, I received one of the partner emails and it made me wonder about the legality of all this. I signed up with a corporate subscriber email address which means that they didn’t need consent for marketing. But they would still need to do a legitimate interest assessment for both sorts of email. If they thought legitimate interests covered sending the emails, why did they make me agree to receive them? What do they think that gave them? But if they think the messages are contractually necessary (they’re not, but people are daft sometimes), why do they offer an unsubscribe option? It gets more complicated when you consider that one of the membership options is ‘Individual’. I bet a fair proportion of people sign up with an individual subscriber address. This means that the organisation needs consent to send marketing emails. They can't rely on the soft opt-in: there's no opt-out at the point of providing the email address and it doesn't apply to partner offers anyway. So they definitely don’t have a lawful basis to send messages to any individual subscriber members, and the mess around the forced agreement makes me suspicious of whether they understand legitimate interests. The fact that they justify transfers of data to the US using Privacy Shield in the T&Cs is the icing on a cake that looks half-baked. There is no right to send messages to your members. It isn’t necessary as part of a contract to remind members of their benefits. Promoting products and services offered by other people by email or text is always direct marketing, and getting consent for it is tricky.
As I have said this week already, the lazy way out of a marketing mess is to point at the unsubscribe option as a universal get-out-of-jail-free card. Especially if you’re the kind of organisation that really ought to understand this stuff, it’s not an attractive answer.

    I mentioned a wave of unwelcome spam washing into my inbox yesterday. In a bid to hold back the tide, I asked one company - a reasonably well-known outfit if not a household name - where they had obtained data about me from. They confirmed the name of the broker and then I asked them if they'd share their legitimate interests assessment with me. They gave me a flavour - their legitimate interests were pretty obvious, but the factors on the other side were interesting. As always, they said recipients can opt out from the start, but they said that "business contacts" are more likely to expect data about them to be processed in a business context and the impact will be lower. I think the first part is definitely true - I expect to get untargeted spam to my business address, but only because I know that they don't need consent. The impact is the same either way - spam is irritating whoever you get it from. The striking element was the first. The original email I received looked like it was from this company but it wasn't. It was from the data broker (to whom I will return on another day). They host a spam email from the company, and then if recipients open the email, they sell the contact to them. Opening an email is interpreted as interacting positively. "This indicates a level of interest in our product," they said. I think this is flawed thinking. You have to open the email to unsubscribe - admittedly, this would stop any further contact but it's hardly positive interaction. It's also the only way to contact them to find out why they sent the message, i.e. the reason I opened it. The logic here is very convenient: you opened our email, so we can send you more. Given that I didn't ask for it in the first place, that seems like a rather strange assumption. I'm not naming and shaming the company: the DPO had no obligation to tell me about the legitimate interests assessment and they were clearly trying to be helpful.
I disagree with their conclusions, but I've been stonewalled and ignored enough times to be grateful for someone taking the time to explain their thinking. SIDENOTE: I've seen outrage in the past from people when companies don't reveal LIAs or DPIAs on request. This is where data ethics shows its limitations. As fervently as you believe that a company *should* tell you something, unless they choose to, there's nothing you can do because the UK GDPR only requires organisations to say what their interest is, not what the details of the assessment are.

    I've recently had a little wave of B2B spam; it's the usual untargeted waffle, inevitably addressed to Timothy (paging the Ting Tings) with no hint of whether they’d scraped my email address personally or bought it from someone who had. When I contacted them to find out who is selling my address, several have made a thing of telling me I can opt out of their emails or assuring me that they've already done it for me, while not actually revealing the source. Sometimes, this is done apologetically, but especially in bigger companies, it's passive-aggressive. You can just opt out, they say, with a subtext of 'instead of sending me this email'. Theoretically, a company doesn't need consent to send unsolicited spam as long as they carry out a legitimate interest assessment. But legitimate interests isn't a get-out-of-jail-free card. If your data use isn't transparent, your case for LI falls apart. None of these companies are upfront about where they got my address from and that should be an inherent part of this kind of marketing. I suspect I'm preaching to the converted here, but there is a widespread belief that so-called B2B marketing is a free-for-all, that you can buy a list of contacts and send 'cold emails' to whoever you like as long as they’re at work. In reality, the PECR-imposed requirement for consent isn't present, but everything else in the GDPR is. It's true that I could choose to unsubscribe, but I want to stop this tedious dross in batches rather than one by one. My advice to DPOs in spam-happy companies is this: if I'd been content simply to unsubscribe, I would have done that. A person who is bothered enough to ask for the source isn't likely to be fobbed off.

    [Image: A man is overwhelmed by dross spilling out of his computer]

    Frozen food magnate and nepo baby Richard Walker has had things to say about how data protection gets in the way of fighting shoplifters. The “Executive Chairman” of Iceland appeared on Gloria De Piero’s Lessons in Leadership podcast, and his comments were reported in the Times and have filtered into the retail press too. We are fighting with one hand tied behind our backs, he claimed. Walker asserted that it is illegal for his staff to share images of shoplifters on ‘high street WhatsApp groups’ because of data protection laws. But keen to present himself as the Big Man, Walker said that he has told his staff to do it anyway and he will take the rap. What a brave boy. I’ve listened to the podcast and while I don’t doubt his concern about assaults on his staff, the data protection bit is just a flourish, an opportunity for Walker to show off. The report in the Mail even overplays how much he said, attributing some of De Piero’s remarks to him. It’s about two minutes of a 30-minute programme, so it’s not as if he attempts any kind of serious analysis. Speaking of which, the Information Commissioner's Office is quoted in several outlets in response to his comments, saying that images can be shared to prevent crime if 'necessary and proportionate'. But they supposedly said that sharing images of alleged shoplifters either on social media or physical pictures in shop windows was not likely to be seen as proportionate. Like a lot of data protection issues that spill out into the mainstream media, this one is being oversimplified. If Walker thinks that sharing images on WhatsApp is explicitly forbidden, he’s wrong. As the Commissioner said, you can use all sorts of data to prevent or detect crime. Indeed, UK data protection law is deferential to the need to deal with crime and offending. If sharing images genuinely helps staff to stay safe and prevent crime, they can do it.
If retailers use a safe, controlled and secure environment to exchange CCTV images of people shoplifting, that could be justified. Whether WhatsApp is the best place to do this is for people like Walker to explain, rather than making sweeping statements about laws he doesn’t understand. I suspect there are better ways to exchange data than a ‘high street WhatsApp group’ but that would require thinking and planning, whereas I suspect that Walker (who admits on the podcast he likes getting his face in the media) just saw a chance for a sound bite. Whether helping to perpetuate widespread ignorance over how data protection works will do anything to assist the people on the frontline of his stores, folk who face far greater risks than softball questions from Gloria De Piero, is hard to say. Ironically, Iceland staff can probably do whatever they like with images because the ICO is so unlikely to do anything either way, so Walker’s boasts about taking the rap are doubly hollow.

    A chorus of politicians are leaping on an admittedly odd-sounding incident at the Police Ombudsman of Northern Ireland. A document containing staff data was emailed to job applicants and the politicos claim it’s evidence of wider malaise, pointing to the current absence of the organisation’s Chief Executive. When something untoward happens to personal data, some people immediately assume that there’s an underlying problem. For them, human error simply doesn’t exist; it’s always evidence of a corporate failing. This can be based on the belief that every incident can be prevented, and sometimes it’s rooted in a semi-political mentality. All organisations are bad, this thinking goes, and data breaches are just more evidence of their iniquity. I’m somewhere in the middle. I think some organisations are quick to blame human error to avoid awkward questions about how they’re run. For example, Hackney Council attempted to dodge blame for their disastrous hack in 2020, claiming that they had appropriate security and were the victim of a succession of accidents. There are a number of facts in the case that show this to be untenable (see the ICO reprimand or my webinar for more). But at the same time, I agree with Hackney’s argument that you shouldn’t judge whether there’s a breach of the law based on the fact that an incident occurred. GDPR’s security provisions aren’t based on strict liability and sometimes, despite your best efforts, people make unforeseeable mistakes or something completely unpredictable happens. The law requires you to do as much as you can to foresee what might go wrong and try to prevent it, not achieve error-free perfection. I’m not assuming anything about the PONI incident. It sounds weird that such a document could be sent without anyone checking, but at the same time, what difference would an absent Chief Exec make to the handling of an individual recruitment exercise? At the very least, PONI deserve a chance to investigate and explain.
Some people have already found them guilty, but one of the many things a data protection practitioner needs is an open mind. https://lnkd.in/encwrV_H

    Police Ombudsman NI apologises for staff data leak (bbc.co.uk)

    Alas, I am out in the cold, spurned by another awards body. Like Salieri, I am unappreciated in my time, my genius unrecognised. Don't worry, kids, I'm not planning to psychologically terrorise any of you with a complex scheme involving your dad, and if you're not getting these references, I don't care. I don't know anyone who isn't delighted by being nominated for the Big Privacy Awards announced this week. But a while back, a friend of mine who works in another sector was nominated for an award and they were, shall we say, somewhat conflicted. The awards in question were very jazzy and commercialised and my friend is a very serious and ethical sort for whom they were very much Not Their Kind Of Thing. SIDENOTE: why would such a paragon be friends with a reprobate like me? They'll get the reference, that's why. Anyway, the noms included a photo scraped from a website. A notable thing about this week is I've only seen people announcing their own nominations. They're using materials that appear to be provided by the organisers, but it's plainly by choice. My friend's experience was different. It was all from the organisers: posts about the awards in general and at least one which featured them individually. None of this happened with consent. The first they knew about it was when they saw their face in a social media post. They told me about this assuming that there wasn't anything they could do about it. So I said: use your objection rights. Tell them you want the posts deleted and your name removed from the list of nominations. They're processing your data under legitimate interests and they have no overriding reason to do so if you object. She tried it and was refused: they said she was nominated in good faith by one of her peers, and they had a legitimate interest in reflecting that. It would damage the integrity of the awards if they pulled her nomination after it has been announced.
I wrote a follow-up for them and while I was happy with it, it wasn’t the most accurate thing I’ve ever produced. I stand by what I said about legitimate interests: I think many purely commercial uses of LI melt on receipt of an objection, but this one definitely did. The inaccurate part was my blood-curdling description of the regulatory consequences if they didn’t back down. What I found interesting was their sense that somehow this wasn’t what objection was about; they understood the right, but couldn’t comprehend how a person could exercise their rights in such a way that they had to change what had already been announced. I dread to think what the ICO would have made of it, but my bluster paid off and without any fanfare, the noms were revised. I don’t believe in data ownership and I think subject control is very limited. But when consent and LI are involved, there is some control available. If your organisation chooses to process personal data, this is a privilege not a right and it can be challenged.

    I’ve now done this session twice but I am happier with the second version: this is a webinar about the recent Information Commissioner's Office reprimand on Hackney Council following a massive cybersecurity incident. The council and the regulator don’t see eye to eye and SPOILER ALERT, I find the ICO’s case to be more persuasive. https://lnkd.in/evNY8edh

    The Great Hack(ney) (vimeo.com)

    A kind correspondent tipped me off about a change to the Information Commissioner's Office guidance on special categories data that I had missed. It's a small change, but evidence of which way the regulator is going. For a long time and entirely cynically, I have followed the ICO's lead: the Commissioner said that unless you apply an inference about an image or some other data, it usually isn't special categories data. Of course, if you do ascribe any sort of religious, ethnic, health or other protected characteristic to the image, special cats rules apply. This approach makes the use of CCTV and images much easier in general. I warn people that the ICO isn't necessarily right and they might change their mind. "We followed the ICO's guidance" may or may not stand up in court but so far, nobody I know has had to try. But possibly due to a European case - i.e. OT v Vyriausioji tarnybinės etikos komisija (Chief Official Ethics Commission, Lithuania) (Case C-184/20) - the approach is less sure. They specifically use marital status as an example that indirectly reveals sexual orientation, which is essentially what the case said. "If the information in itself clearly reveals or concerns something specific and definite about one of the special categories, that counts as special category data". I think there's room for doubt here: images and names don't always offer certainty or specificity about the possible special categories content, but on the other side, the definition of special categories doesn't hinge on the intentions of the controller or the possible harm: if the data is special categories, that's that. If the Commissioner is saying that some data effectively reveals the characteristic, then that's their position. Inferences count where you intend to process on the basis of an inferred special category or treat people differently because of the inference. 
Their summary is that "The guidance no longer focuses on the certainty of an inference as a relevant factor to decide whether it counts as special category data". I don't know if I agree with the ICO that their underlying policy position hasn't changed. The Commissioner is often incapable of admitting when their interpretation of DP has changed (their denial about excluding the public sector from the definition of marketing verged on gaslighting). But in this case, even if they have changed, if it's because of an EU court case, that's not a stupid reason and regardless of why it's happened, they've explained it clearly enough. What this means for public space surveillance, photographs of public events and other image-based processing is... one to ponder. But it is what it is, and anyone using data involving images needs to consider it carefully.

    What is special category data? (ico.org.uk)

    I happened upon a service offered by a company offering “Social media screening to comply with new KCSIE guidelines”. Aspects of the Keeping children safe in education (AKA KCSIE) guidelines have proven controversial, not least paragraph 226: “... as part of the shortlisting process schools and colleges should consider carrying out an online search as part of their due diligence on the shortlisted candidates. This may help identify any incidents or issues that have happened, and are publicly available online, which the school or college might want to explore with the applicant at interview. Schools and colleges should inform shortlisted candidates that online searches may be done as part of due diligence checks.” I’m not the first to comment on this, but two things here. First is the unhelpful vagueness: do you trawl the applicant’s Instagram or not? Schools should ‘consider’ doing it as it ‘may’ help identify any incidents. It’s not a requirement (although unions think Ofsted treat it as such), but you should definitely think about it. That’s quite the can of worms you opened and then gleefully handed to me. The second issue is transparency: the guidance acknowledges that candidates need to know a check will be carried out. I agree: GDPR transparency requires that candidates are told. I can easily argue for keeping monitoring secret as part of an investigation into specific allegations, especially if there are safeguarding or criminal concerns about an existing employee. I could also justify a secret probe into a candidate where suspicions have been raised (I’ve never been involved in school recruitment, so I’ve no idea how likely that would be to happen). Leaving that aside, being transparent about general ‘social media screening’ often causes disagreements. While I think the GDPR implications are clear, I’ve been repeatedly told that telling people allows them to clean up accounts and hide their guilty secrets. 
It’s all in the public domain anyway, so where’s the harm? I persuaded one manager of the flaws inherent in this by asking them to log into their Twitter account on a screen in a meeting room and inviting their team to look at all of their likes. “Point. Taken.” she said firmly and we worked out something a bit more subtle. Of course, thanks to everyone’s favourite Apartheid Nepo Baby, Twitter likes are secret anyway. I am not saying I am definitively right here. I think the legally correct approach is transparency for general monitoring, secrecy only for specific investigations, but I am keen to hear alternative ideas, i.e. if you’re more in favour of secrecy and you’ve got a GDPR-friendly argument, comment below or message me. I’ll be polite. But as far as seeking out this kind of business goes, especially as this company cites both employees and candidates as being targets for this service, I’ve got all flavours of Nope. This should be handled carefully and intelligently, not touted at £36.99 a pop.